Privacy

What is the impact of the GDPR on your employee data?

GDPR General Data Protection Regulation personal data
news item photo

The General Data Protection Regulation (GDPR) describes how your company has to process personal data from the 25th of May 2018 onwards, without violating these individuals’ privacy. Perhaps you have, during your first efforts to become GDPR compliant, first had a look at external relationships, but this regulation also describes how you have to process the data of your own employees (and of applicants).

 

Why is it important to process your employee data GDPR compliant?

First of all: the penalties for not complying with the GDPR, are quite high. They can rise to a maximum of 2% (up to €10.000.000) or even 4% (up to €20.000.000) of the consolidated turnover. Second of all: when not complying with the law, your company also runs a risk of reputation damage.

When data protection authorities come to inspect your company (possibly after an internal/external complaint), they can also take a closer look at your employee data.

How do you process your employee and applicants data GDPR compliant?

Of your employees, you can store, process, send to the Social Secretariat … any data you want, on condition that you can prove that these data are required for, for example, payroll administration, evaluations, personnel planning …

In case of an external transfer of employee data, for example to the Social Secretariat, you are required to verify that these external parties are also GDPR compliant. Obtaining a signed processing agreement of the Social Secretariat is a minimum requirement.

For the use of employee data, you can, next to ‘explicit consent of the employee’, rely on some other legal grounds as well, such as: ‘needed for the execution of the employment contract’, ‘legal requirement’, ‘legitimate interest’ or ‘vital interest’ of the employee.

The GDPR is relatively abstract when it comes to the retention period of personal data: they cannot be stored longer than necessary for the realisation of the purposes for which they have been obtained. It is thus best to consider yourself whether it is still justified to store the data. If this is not the case, it is better to erase or anonymise the data. For certain documents, the retention period is described by law (in Belgium). For example: salary details with fiscal value (7 years), a copy of the ID of former employees (5 years), curriculum vitae and certificates (2 years). 

The data of applicants can be collected, stored and used as part of the application process. They can only be used to compare the applicants’ profiles with job openings, and not for commercial purposes. The data can also only be made available to people with a legitimate interest in the data, such as people from the HR department. The personal data can be stored for the entire duration of the application process, and – provided that you have obtained explicit consent – possibly for a longer term after the finalisation of the application process, if the applicant wishes to remain informed about future vacancies. 

It is also very important that all personal data are stored in a secured place, for example in a secured portal with a personal password, and that you can also prove this security – as everything mentioned above – during a possible inspection.

Your employees need to be informed

As a company, it is best to draw up a privacy policy, so that your employees and applicants are informed about which personal data are processed, why and what are they used for, how long they will be stored, and which rights your employees have concerning their personal data. It is also best to draw up a confidentiality agreement for all employees that have access to both external and internal personal data. Subsequently, it is recommended to check whether the existing HR procedures are “GDPR proof” and, if not, to adjust them.

Could you use some advice?

In case you have additional questions about the impact of the GDPR on your (employee) data, of in case you could use some help during the GDPR compliancy process of your company, we would love to hear from you! Send an email to frederik.vervoort@clipeum.be of give us a call at +32 473 91 05 80.

 

By: Frederik Vervoort - 9th of May 2018

share: